HIPAA Breach News

Princeton Medicine Ransomware Attack Reported

On October 6, 2016, Princeton Medicine physician Dr. Melissa D. Selke discovered an unauthorized individual gained access to a server containing the electronic protected health information of more than 4,200 patients and used that access to install ransomware.

The ransomware encrypted a range of files on the server including an information system containing patients’ names, phone numbers, addresses, Social Security numbers, driver’s license numbers, health insurance details, medical record numbers, diagnoses, treatment information, treating physician information, and treatment dates.

Upon discovery of the ransomware infection, a computer forensics expert was brought in to conduct a thorough investigation. It was possible to rapidly restore the encrypted files; however, the investigation revealed that the person behind the attack could potentially have viewed and copied patient data. No evidence was uncovered to suggest that this was the case, although it was not possible to rule out the possibility that ePHI had been accessed.

The Hillsborough, NJ-based physician has now informed state regulators and the Department of Health and Human Services’ Office for Civil Rights of the potential data breach. The breach report indicates 4,277 individuals have been impacted. All patients are being contacted by mail and informed of the potential exposure of their ePHI and have been provided with further information and resources explaining the actions that can be taken by patients to reduce the risk of identity theft and fraud.

According to Dr. Selke, “We are taking steps to help prevent another incident of this kind from happening, and continue to review our processes, policies, and procedures that address data privacy.”

2016 has been a bad year for ransomware attacks on U.S. healthcare providers, but as we head into 2017, there are no signs that the attacks will abate. In fact, security experts have predicted that the situation will get worse before it gets better and that the number of attacks will increase.

Healthcare organizations large and small must therefore prepare for ransomware attacks. Data should be regularly backed up and stored in the cloud or on air-gapped storage devices and a ransomware response plan should be developed that can be rapidly implemented in the event of an attack to reduce the impact on patients.

Further information on ransomware and how to protect networks can be obtained from US-CERT on this link.

The post Princeton Medicine Ransomware Attack Reported appeared first on HIPAA Journal.

Quest Diagnostics Announces 34,000-Record ePHI Breach

Madison, New Jersey-based clinical laboratory service provider Quest Diagnostics is alerting 34,000 patients that some of their electronic protected health information (ePHI) has been stolen. Quest Diagnostics is a business associate of many healthcare providers across the United States. Consequently, patients across the United States have been impacted by the breach.

On November 26, 2016, an unknown individual gained access to the MyQuest by Care360® Internet application and successfully exfiltrated a range of patient data. The intrusion was detected two days later when staff returned to work on Monday.

Upon discovery of the breach, access to the Internet application was blocked to prevent any further data from being accessed or copied and a leading cybersecurity firm was contracted to conduct a thorough investigation of the breach.

The investigation revealed that patients’ test results were copied along with names, dates of birth, and some telephone numbers, although no highly sensitive data such as Social Security numbers, health insurance information, or financial data were accessed or copied. The cybersecurity firm is also conducting a thorough assessment of the cybersecurity protections in place to prevent unauthorized data access. Upon conclusion of that assessment, additional protections will be put in place to prevent future breaches of this nature from occurring.

Quest Diagnostics responded promptly to the breach and issued notification letters to patients within two weeks of the breach being discovered, well inside the 60-day breach notification time limit stipulated by the Health Insurance Portability and Accountability Act (HIPAA).

While it has only been two weeks since the breach, Quest Diagnostics has not received any reports of patient data being misused to date. Quest Diagnostics has told patients “we do not believe that you need to take any steps at this time to protect yourself in response to this breach.”

The breach has been reported to federal law enforcement agencies, and the Department of Health and Human Services’ Office for Civil Rights and state attorneys general have also been notified.

The post Quest Diagnostics Announces 34,000-Record ePHI Breach appeared first on HIPAA Journal.

Further 4,100 Cardiac Patients Notified of Breach of ePHI

A further 4,100 cardiac patients have been notified that some of their protected health information was exposed due to a security breach at Wilmington, DE-based Ambucor Health Solutions (AHS). The patients had previously had cardiac devices fitted at the New Mexico Heart Institute in Albuquerque.

The Heart Institute contracted Ambucor Health Solutions to provide a cardiac monitoring service for its patients. AHS had implemented appropriate technical, physical, and administrative safeguards to prevent the unauthorized disclosure of patients’ electronic protected health information in accordance with HIPAA Rules; however, a former AHS employee breached company policies and accessed and copied patients’ ePHI to two flash drives prior to leaving employment.

The data copied to the devices included patients’ names, birthdates, phone numbers, addresses, medication information, testing data, information about patients’ medical devices, where the patient had the device fitted, the name of the technician who fitted the device, and the name of patients’ physicians.

It is unclear why the data was copied, although AHS does not believe any of the information has been used inappropriately or disclosed to anyone other than the employee who copied the data. The flash drives have since been recovered via law enforcement. An analysis of the data on the devices showed no Social Security numbers, financial data, or insurance information were compromised. At this stage it is unclear whether the former AHS employee will face criminal charges. Both AHS and the New Mexico Heart Institute have taken further precautions to prevent future ePHI breaches of this nature from occurring.

Ambucor Health Solutions is providing affected patients with identity theft protection services and coverage under a $1 million identity theft insurance policy, but it is the responsibility of each covered entity to submit its own breach report to the Department of Health and Human Services’ Office for Civil Rights. It is therefore unclear at this stage exactly how many patients have been impacted by the breach. This announcement brings the running total of individuals affected by the Ambucor Health Solutions breach to 9,657. Those individuals reside in Massachusetts, New Hampshire, New Mexico, Pennsylvania, and South Carolina.

The post Further 4,100 Cardiac Patients Notified of Breach of ePHI appeared first on HIPAA Journal.

Lost CD Contained Social Security Numbers of 18,854 Health Plan Members

18,854 health plan members have been notified of a potential breach of their protected health information following the loss of a compact disc in the mail.

An employee at Aetna Signature Administrators (ASA), a provider of network and management services to group health plans, mailed a CD containing sensitive health plan members’ information to another ASA employee. The CD was mailed on September 6 and the envelope was delivered on September 9; however, the CD was missing from the envelope.

The CD contained reports that had been provided to ASA by health plans or health plan administrators. The reports were used by ASA to evaluate and select programs and services for health plan members.

The reports contained the dates of birth of health plan members along with their Social Security numbers, and in some instances, names and addresses. Individuals impacted by the incident were notified of the potential ePHI breach last month.

Since Social Security numbers were exposed, ASA has offered all affected individuals a year of identity theft protection services through Equifax (Equifax Credit Watch Gold) without charge. The services are provided as a precaution against identity theft and fraud. ASA has not received any reports to suggest the CD has been accessed or used by unauthorized individuals. Neither ASA nor the U.S. Postal Service has located the missing CD.

This is the second incident of this nature to be reported in the past week. Last week, OptumHealth New Mexico announced that a business associate had sent an unencrypted flash drive through the mail, but it failed to arrive at its destination.

ASA has now taken the decision to stop mailing CDs containing ePHI and will use other, more secure methods of communication in the future. Staff members have also been retrained on handling sensitive health plan members’ information and health plans have been instructed not to include members’ Social Security numbers in reports submitted to ASA.

The post Lost CD Contained Social Security Numbers of 18,854 Health Plan Members appeared first on HIPAA Journal.

Ransomware Attack Reported by East Valley Community Health Center

West Covina, CA-based East Valley Community Health Center (EVCHC) has started notifying patients that some of their electronic protected health information was compromised when ransomware was installed on one of its servers.

The ransomware attack occurred on October 18, 2016 and involved a ransomware variant called Troldesh/Shade. As with other forms of ransomware, Troldesh conducts scans of its local environment and encrypts a wide range of file types with an asymmetric encryption algorithm, preventing the files from being accessed.

Troldesh is supplied by the ransomware author as a development kit, which allows affiliates to run their own ransomware campaigns. The ransomware is usually distributed via spam email campaigns using file attachments containing malicious JavaScript code. However, in this case, an unauthorized individual logged onto an EVCHC server and installed the ransomware.

Many different files were encrypted, one of which contained the electronic health information of EVCHC patients. The file was used by EVCHC for logging claims that had been submitted to health plans. The file contained names, addresses, birthdates, medical record numbers, insurance account numbers, and health diagnosis codes. No financial information, Social Security numbers, or driver’s license numbers were present in any of the encrypted files.

Ransomware is typically used to extract a ransom payment from the victim, not to gain access to sensitive information. However, it is possible that the attacker was able to view the ePHI contained in the file. No evidence of file access or exfiltration was discovered by EVCHC.

EVCHC has not disclosed how many individuals were affected by the incident, although the ransomware attack has now been reported to the Department of Health and Human Services’ Office for Civil Rights and the California Attorney General’s office.

Steps have been taken to reduce the likelihood of future ransomware attacks, including the implementation of additional technical controls and the transfer of patients’ protected health information to a third-party off-site server maintained by a health information technology company. EVCHC will also be conducting a full review of privacy practices, and updates will be made, as appropriate, to maintain the highest level of privacy for patients.

The post Ransomware Attack Reported by East Valley Community Health Center appeared first on HIPAA Journal.

Tampa General Hospital Settles Class Action Data Breach Lawsuit

According to figures from the Federal Trade Commission, Florida is one of the top three states for fraud and identity theft. Criminals in the state use stolen consumer data to steal identities and file fraudulent tax returns, with the data often coming from healthcare organizations.

Fraudsters often target the lowest paid healthcare workers and pay them to steal patients’ personal information and Social Security numbers. Many Florida hospitals have fired employees who have been discovered to have abused their access to patient health information and passed stolen information on to identity thieves.

Victims of fraud can suffer considerable losses which can prove difficult to recover. Legal action can be taken against the healthcare organizations that experience internal data breaches, although the lawsuits very rarely succeed.

One such lawsuit was filed against Tampa General Hospital. The class action lawsuit – John Doe v. Florida Health Sciences Center Inc. d/b/a Tampa General Hospital – alleged the hospital had been negligent for failing to protect patient data, breached its fiduciary duty, breached an implied contract, and violated Florida’s Deceptive and Unfair Trade Practices Act.

The plaintiffs claimed that in May 2014, the hospital had “actual or constructive knowledge that unknown individuals wrongfully accessed and obtained Plaintiff’s and Class Members’ PHI and PII in Defendant’s possession which included names, addresses, dates of birth, Social Security numbers, admitting diagnoses, and insurers.”

The lawsuit listed numerous cases of data theft at the hospital between 2012 and 2015, including an incident in 2014 that was uncovered by the Tampa Police Department. An individual was arrested and found to be in possession of patient records that had been stolen from Tampa General. The individual did not work at the hospital but had allegedly obtained the data from a hospital employee.

According to the lawsuit, many patients had suffered losses due to identity theft following the theft of data from the hospital. Even if losses had not been suffered, patients now face an increased risk of identity theft and fraud due to the hospital’s failure to protect their sensitive information. The lawsuit claims Tampa General Hospital’s “history of protecting patient information has been poor.”

Lawsuits filed against organizations that have experienced data breaches rarely succeed, even when plaintiffs can prove losses have been suffered following a data breach. However, the lawsuit against Tampa General Hospital was successful. Tampa General has recently agreed to a settlement with the plaintiff and class members.

Tampa General has agreed to pay the plaintiffs $10,000 in damages and up to $7,500 to cover the plaintiffs’ attorney fees and litigation expenses. In order to qualify for a percentage of the settlement, plaintiffs must be able to demonstrate that they have suffered actual losses as a result of the breach.

Tampa General Hospital denies any wrongdoing and maintains that it is not responsible for the alleged actions of some of its former employees. The decision to settle the case was taken to avoid the expense and burden of taking the case to trial.

The post Tampa General Hospital Settles Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Glendale Adventist Medical Center Fires Nurse for Inappropriately Accessing ePHI

A nurse employed by Glendale Adventist Medical Center in Glendale, CA has been fired for inappropriately accessing the medical records of 528 patients of the medical center and White Memorial Medical Center in Boyle Heights, CA.

The privacy breach was discovered in June 2016, although it is unclear when the nurse first started inappropriately accessing patient data. Glendale Adventist Medical Center discovered patient data were being accessed during a routine security review.

An investigation into the privacy violations was launched after access logs showed that the employee had been abusing data access privileges. The nurse had been provided with access to ePHI in order to perform work duties. The former employee worked as a per-diem nurse according to a report in the Los Angeles Times.

The investigation into the privacy breaches is ongoing, and as such, only a limited amount of information has been released. A spokesperson for Glendale Adventist Medical Center did confirm to the L.A. Times that sensitive patient information that was potentially accessed included names, addresses, dates of birth, Social Security numbers, and medical diagnoses. It is unclear whether data were accessed out of curiosity or with malicious intent.

All patients whose personal information was accessed by the former employee have now been contacted by mail and informed of the incident. Additional steps have now been taken at the medical center to prevent future privacy breaches from occurring.

The incident shows that while it is important to implement a host of security defenses to protect the electronic protected health information of patients from external attacks, it is also important to take steps to protect against insider breaches.

It may not be possible to prevent members of staff from inappropriately accessing ePHI, but conducting regular audits of data access logs will limit the damage caused in the event that rogue employees abuse their data access rights.
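As an illustration of the kind of access-log audit described above, the following Python script is an added example (not code from HIPAA Journal or from any organization named on this page) that runs two insider-misuse checks over constructed EHR audit-log lines; the log format, roles, units and baseline thresholds are all assumptions made for the example.

```python
"""Access-log audit for insider misuse of ePHI.

Added example, not code from HIPAA Journal or any organization on the
page; the log format, roles, units and thresholds are constructed here.
Per user per day it flags (1) more distinct charts opened than the role's
baseline and (2) charts of patients outside the user's own unit.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: ts,user,role,user_unit,patient_id,patient_unit,action
SAMPLE_LOG = """\
2016-06-01T08:02:11,rn_alvarez,nurse,ICU,P1001,ICU,view
2016-06-01T08:05:40,rn_alvarez,nurse,ICU,P1002,ICU,view
2016-06-01T08:07:03,rn_alvarez,nurse,ICU,P1001,ICU,update
2016-06-01T21:41:09,rn_doe,nurse,MED,P2001,MED,view
2016-06-01T21:42:15,rn_doe,nurse,MED,P3005,SURG,view
2016-06-01T21:42:51,rn_doe,nurse,MED,P3006,SURG,view
2016-06-01T21:43:30,rn_doe,nurse,MED,P4010,ED,view
2016-06-01T21:44:02,rn_doe,nurse,MED,P4011,ED,view
2016-06-01T21:44:48,rn_doe,nurse,MED,P4012,ED,view
"""

# Assumed baselines: distinct charts a user in each role normally opens per day.
ROLE_DAILY_BASELINE = {"nurse": 5, "physician": 20}


@dataclass(frozen=True)
class Finding:
    user: str
    day: str
    kind: str    # "volume" or "relationship"
    detail: str


def parse_log(text):
    """Parse comma-separated audit lines; blank or malformed lines are skipped."""
    fields = ("ts", "user", "role", "user_unit", "patient", "patient_unit", "action")
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == len(fields):
            records.append(dict(zip(fields, parts)))
    return records


def audit(records, baselines=ROLE_DAILY_BASELINE):
    """Return one Finding per (user, day) for each check that trips."""
    charts = defaultdict(set)    # (user, day) -> distinct patient ids opened
    off_unit = defaultdict(set)  # (user, day) -> patients on another unit
    role_of = {}
    for r in records:
        key = (r["user"], r["ts"][:10])
        role_of[key] = r["role"]
        charts[key].add(r["patient"])
        if r["patient_unit"] != r["user_unit"]:
            off_unit[key].add(r["patient"])
    findings = []
    for user, day in sorted(charts):
        key = (user, day)
        limit = baselines.get(role_of[key])
        if limit is not None and len(charts[key]) > limit:
            findings.append(Finding(user, day, "volume",
                f"{len(charts[key])} distinct charts, baseline {limit}"))
        if off_unit[key]:
            findings.append(Finding(user, day, "relationship",
                f"off-unit charts: {', '.join(sorted(off_unit[key]))}"))
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG)):
        print(f"{f.day} {f.user:<11} {f.kind:<12} {f.detail}")
```

On the constructed log, rn_alvarez stays within baseline and on-unit, while rn_doe trips both checks on 2016-06-01; in practice the baselines would be derived from historical per-role activity rather than fixed by hand.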

The post Glendale Adventist Medical Center Fires Nurse for Inappropriately Accessing ePHI appeared first on HIPAA Journal.

Sagewood Retirement Community Attacked with Ransomware

Sagewood, a retirement community in Phoenix, AZ, has notified 800 current and former residents about a ransomware attack that has potentially resulted in some of their electronic protected health information (ePHI) being accessed by the attackers.

Sagewood enlisted the services of a computer forensics firm to investigate the attack. According to the substitute breach notice on the Sagewood website, the attack was short-lived. It was possible to isolate and contain the infection within an hour of it being discovered.

Since it is possible that access to ePHI was gained, the incident has been reported to the Department of Health and Human Services’ Office for Civil Rights in accordance with HIPAA Rules. Patients have also been notified of the incident by mail if they have been affected.

Ransomware locks files with powerful encryption which prevents the victims from gaining access to their data. After files are locked, the victims are presented with a ransom demand. Payment must be made in order to receive the key to unlock the encryption.

Ransomware could also potentially give the attackers access to sensitive data, although typically the attacks are performed only to obtain ransom payments. However, in this case, files were locked but no ransom demand was received.

It is unclear whether the ransomware variant used in the attack failed, or if the attackers had other reasons for locking data.

It is possible that data access was gained and patients’ names, phone numbers, addresses, dates of birth, Medicare numbers, Social Security numbers, and other national ID numbers could potentially have been viewed.

Based on the short time period when data could have been accessed – and the lack of a ransom demand – “Sagewood does not believe that the attack was performed in order to gain access to a ‘hacker’ was looking to compromise or misuse identities or personal information.”

Current and former residents impacted by the incident have nonetheless been advised to be vigilant, to monitor payment card statements for any sign of fraudulent activity, and to consider placing a fraud alert on their credit cards.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 863 individuals were potentially impacted by the breach.

The post Sagewood Retirement Community Attacked with Ransomware appeared first on HIPAA Journal.